Internet Edge Router and the Firewall

What is the best way to monitor an Internet Edge router from the Internal network behind the Firewall?
We want to pull more information from the edge router like netflow.  We can use SNMPv3 and ACLs to keep the router secure.
But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults.
I am running an ASA and a 2821.

I'd start with locking down the router configuration if you haven't already. Cisco Configuration Professional (free) offers a nice GUI for analyzing and delivering all the necessary commands to secure the router.
Getting Netflow from your router doesn't add much more than getting it from your ASA.
If you're querying through the firewall to the routers using SNMPv3 (and have deleted the v1/v2 communities) that's one good step. The only other thing I might suggest is sending syslogs to your management system from the router. To do that you'll need to add an access-list and probably a NAT entry to your firewall to allow the incoming syslog traffic.
Most important beyond all the technology is to make sure that your people follow a process to regularly analyze and act upon the information being reported and gathered. Without that all the rest isn't worth the time it takes to implement it.

Similar Messages

  • I have a Linksys WRV200 wireless router and the wireless signal is not working properly so I cannot connect to the internet wirelessly. The wireless light has a fast green blinking light. How can I fix the router?

    I have a Linksys WRV200 wireless router and the wireless signal is not working properly so I am unable to connect to the internet wirelessly.  The wireless light is blinking green very quickly and I connect and disconnect from the network constantly.  How do I get the router to work properly?

    Hello James,
    The flashing WLAN light means activity (data getting transferred). Try disconnecting all your devices and check whether the light is still flashing or disconnect the router from internet and do the check.
    Do you have your SSID as linksys or the default one? If your neighbor has the same SSID, then traffic could result from your neighbor's one. Try changing your SSID and password. Make your security WPA/WPA2.
    Hope this helps,
    Thanks
    Vijay

  • Download connections don't close after I cancel the download; it keeps going as if I am downloading and only closes when I disable the network adapter or reset the router or the firewall

    Download connections don't close after I cancel the download; it keeps going as if I am downloading and only closes when I disable the network adapter or reset the router or the firewall.
    I use pfSense as my firewall and see the traffic not resetting to zero when I cancel a download.
    Also, IE doesn't have this problem. When I cancel the download the traffic drops to zero.

    And this problem seems to be systemwide, since I created a new user and the problem still exists under it.
    Hope Apple will look into it.

  • Should I block icmp on my edge router or my firewall?

    Originally, we were blocking icmp traffic on our edge router (2811), but recently we changed this to block on the firewall (ASA) instead. I've been told that blocking on the router would cause too much overhead on the router, since it's now having to inspect all traffic, and the firewall was better equipped for this.
    What is industry standard? What does Cisco recommend?

    Something like this, although I would recommend posting this to the firewall forum for confirmation.
    ! deny non-initial ICMP Fragments
    access-list 101 deny icmp any any fragments
    ! permit "dest unreachable" messages
    access-list 101 permit icmp any any 3
    ! permit "Time exceeded" message
    access-list 101 permit icmp any any 11
    ! permit "source quench" message
    access-list 101 permit icmp any any 4
    ! permit "parameter problem" message
    access-list 101 permit icmp any any 12
    ! permit "echo reply" messages
    access-list 101 permit icmp any any 0
    ! deny all other icmp
    access-list 101 deny icmp any any
    You might consider tightening up the destination unreachables too. They would look something like this for each type and code you want to allow:
    ! permit "dest unreach - port unreach" messages
    access-list 101 permit icmp any any 3 3
    see here:
    http://www.iana.org/assignments/icmp-parameters
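As an added illustration (not part of the original thread), the Python below evaluates the posted access-list, and the tightened "3 3" variant suggested at the end, against sample ICMP packets using IOS first-match semantics, the implicit final deny, and the behaviour of the `fragments` keyword. The ACL text is copied from the post; the parser and evaluator are this example's own and cover only the ACE forms the post uses.

```python
"""Evaluate the IOS-style ICMP access-list from the post against sample packets.
Added example, not from the thread. Supports only the ACE forms the post uses:
"access-list N permit|deny icmp any any [type [code]]" and the "fragments"
keyword, with IOS first-match semantics and the implicit final deny.
"""
import re

# The seven ACEs exactly as posted (the "!" comment lines are omitted here).
ACL_TEXT = """
access-list 101 deny icmp any any fragments
access-list 101 permit icmp any any 3
access-list 101 permit icmp any any 11
access-list 101 permit icmp any any 4
access-list 101 permit icmp any any 12
access-list 101 permit icmp any any 0
access-list 101 deny icmp any any
"""

# The tightening the post suggests: allow only "port unreachable" (type 3 code 3)
# instead of every destination-unreachable code.
TIGHT_ACL_TEXT = ACL_TEXT.replace("any any 3\n", "any any 3 3\n")

ACE_RE = re.compile(
    r"^access-list\s+\d+\s+(permit|deny)\s+icmp\s+any\s+any"
    r"(?:\s+(fragments)|(?:\s+(\d+))?(?:\s+(\d+))?)\s*$"
)

def parse_acl(text):
    """Return a list of (action, icmp_type, icmp_code, is_fragments_ace)."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACE: " + line)
        action, frag, typ, code = m.groups()
        entries.append((action, int(typ) if typ else None,
                        int(code) if code else None, frag is not None))
    return entries

def evaluate(entries, icmp_type, icmp_code=0, non_initial_fragment=False):
    """Return 'permit' or 'deny' for one ICMP packet; the first matching ACE wins."""
    for action, typ, code, frag in entries:
        if frag:
            if non_initial_fragment:
                return action
            continue
        if typ is not None:
            # A non-initial fragment has no ICMP header, so an ACE naming a
            # type/code cannot match it; only type-less ACEs apply (IOS rule).
            if non_initial_fragment or typ != icmp_type:
                continue
            if code is not None and code != icmp_code:
                continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL
```

With the posted list an echo request (type 8) is dropped while "host unreachable" (3/1) is allowed; with the tightened list only 3/3 survives.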

  • I have a WRT350N Wireless Router and the DynDNS Service is...

    I have a WRT350N Wireless Router and the DynDNS Service is not resolving the correct Internet IP Address; it is resolving to a local IP and I see it on the DDNS Page on my Router Setup Screen.  I'm trying to connect to my DVR from a Remote Site with my DynDNS Client in my computer but I could not do it.  Port 80 (my DVR WAN Port) is Open and redirected to my DVR local IP, my DynDNS Account is working fine but there's no way that I could access my DVR or even my Router if I activate the Remote Management Capabilities.

    The best source to ask is HughesNet. According to their web site the HNS7000S is a router. Instructions on how to set up a home network can be found here.
    I cannot find instructions on how to set up DDNS on the HNS7000S router. The suggested setup in the KB article link above won't help you with that either. I don't know whether it is possible with HughesNet to put the router into bridge mode and set up the WRT for internet. It may not be possible at all. But you have to check with HughesNet.

  • I set up a new router and the windows machines have no problem with connectivity.  I go through the MacBook Pro's airport assistant and view my network and then enter the WPA2 password.  I get back a message saying the password is incorrect when it is

    I set up a new router and the windows machines connect fine.  My MacBook Pro does not.  I go through the airport assistant and see the network yet when I enter the router WPA password I get a message back saying that the password is incorrect.  And, it isn't!  Very frustrating.  What can I do as I had the same problem after I tried to reinstall my last router.  Again, only on the Mac.  Thanks!

    If you kept the same Base Station name and network name, that can confuse Keychain Access. Either change the Base Station and network name, or open Keychain Access Utility and delete any reference to your Base Station and network name. Make sure you delete from the Login and System keychains.

  • I just purchased an Apple TV.  I have a PC running Windows 7.  It is connected to a router and the router is connected to a wireless router.  I connect my iPhone, iPad and Apple TV to the wireless network but do not know how to put the PC on the wifi network

    I just purchased an Apple TV.  I have a PC running Windows 7.  It is connected to a router and the router is connected to a wireless router.  I connect my iPhone, iPad and Apple TV to the wireless network but do not know how to put the PC on the wifi network so the Apple TV can do home share.

    I don't mean to be facetious but sometimes the simplest things are overlooked.  To connect to your library you have to have the computer where the iTunes library is located running and with iTunes open.  It also needs to be on the same network.  My network is dual band and works with either stream but a friend of mine does not.  He has to set the computer and the Apple TV to the same band.  Hope this helps.

  • Driver Scanner will not update, there is a problem with proxy settings and the firewall

    Driver Scanner will not update. It says there is a problem in connecting to the Uniblue browser.
    Also there is a problem with the proxy set up and the firewall.

    With that one, let's try getting an installer log to the Apple engineers for a look.
    1. Open a command prompt window. (Start menu -> Run. Type in "cmd". Hit return.)
    2. Drag and drop iTunesSetup.exe onto the window so that the full pathname of the file is at the command line prompt.
    3. Type in a space, then the following line:
    /l*v C:\log.txt
    4. Hit return.
    5. The installer will create a log file:
    C:\log.txt
    Find that file and send it as an attachment to this email address: [email protected]
    In the email to Roy, be sure to include the following information:
    - A link to the thread on Apple Discussions where the issue is being discussed
    - The username you are using in the thread
    - The version of iTunes you are using or trying to use
    - The version of Windows you are using (mention service packs)
    - A concise description of the issue you are seeing
    - The exact text of the error message you are seeing

  • My Wi-Fi just says connecting, but never connects. I've rebooted the router and the phone.

    Well that was it. My Wi-Fi just says connecting but never connects. I've rebooted the router and the phone. LG G2

    ETea,
    Sorry to hear about the trouble with Wi-Fi. Let's get you connecting again. Are other Wi-Fi capable devices able to connect without issue? Go to Settings and touch Wi-Fi. Touch your network and select "Forget." Touch "Search" on the bottom. Once the phone detects the network again, touch the network, enter your password and select connect. Let us know if you get connected.
    BrianP_VZW
    Follow Us on Twitter @VZWSupport

  • HT1552 I'm setting up a server with the port 25565 and I'm doing it with Port Map but the problem is I can't seem to get it to work with my router. It goes through my Mac mini to the router and the expansion hard drive

    I'm setting up a server with the port 25565 and I'm doing it with Port Map but the problem is I can't seem to get it to work with my router. It goes through my Mac mini to the router and the expansion hard drive.

  • TMG Traffic For a Specific IP isn't leaving the server despite valid routes and no firewall

    Hi,
    I'm struggling to troubleshoot a TMG networking issue:
    I have a TMG server set up in my DMZ. Inbound traffic hits a 3rd party firewall router, goes to the TMG server and is then routed back through the 3rd party firewall router to my internal network. I've set up web publishing rules and listeners for IIS sites and SMTP traffic, using a different IP to listen for 2 different websites and another IP for SMTP.
    The issue I have is that my TMG server can't ping a server on the internal network on a specific IP:
    TMG can ping 192.168.11.190
    TMG cannot ping 192.168.11.191
    Firewall rules are configured to permit traffic (no deny connections are shown in the monitor).
    tracert and pings to 192.168.11.190 hit the internal IP of the 3rd party router
    tracert to 192.168.11.191 simply responds with * * * * before timing out
    Monitoring from within TMG shows the correct IP is being used in both cases (internal NIC 192.168.10.10).
    A route print from TMG has a valid route to the internal network:
    (network)192.168.11.128 (mask) 255.255.255.128 (gateway) 192.168.10.126
    In summary:
     - TMG can ping 192.168.11.190, but not 192.168.11.191
     - Valid routes exist
     - No firewall rules are blocking communication
     - Traffic to 192.168.11.191 doesn't seem to be leaving the TMG server
    Any advice on solving this would be appreciated.
    Cheers

    It can have many reasons, but it appears to me you are having a routing issue. I can't say for sure, because I don't have the entire IP addressing scheme. I assume you have used separate subnets for the External DMZ and Internal DMZ.
    Have you configured the 192.168.11.128/25 subnet as a correct 'Address' range 192.168.11.128 - 192.168.11.255 on the 'Internal' interface within TMG?
    Boudewijn Plomp | BPMi Infrastructure & Security
    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember, if you see a post that helped you please click "Vote as Helpful", and if it answered your question, please click "Mark as Answer".

  • Internet edge router & IPS

    I am looking for some recommended settings or pointers for what to enable on an Internet facing edge router (ISR). Currently the defaults have pretty much been accepted with regards to the IPS setup. The router was configured initially from the CLI and I am happy with this part, but all the IPS stuff was configured from SDM. At the moment it just reports for the 338 default enabled Signatures, however it can be configured to react (drop or reset connections). I am just looking for some recommendations or pointers as to what should be enabled.
    I have noticed a performance hit with IPS enabled but nothing too bad, the main bottleneck is the ISP link.
    Thanks
    Andy

    Andy,
    Generally Cisco only denies packets for the signatures which correspond to the attack sig section; also many of those would be only sending a log message rather than denying the packet. This is done to keep only the relevant signatures enabled and dropping traffic and to avoid false positives. For most networks, these settings would be good enough. Integrating an IPS solution into your network is an ongoing process rather than a one-time implementation. You would need to keep an eye on the events and change the sigs accordingly for a typical cycle of 2 months. So, if you see an event which refers to an ongoing attack, enable the sig. At other times, keep it disabled as it would save a lot of CPU/memory cycles on the IPS (and would avoid a performance bottleneck).

  • Wireless Router and the Mac

    Quick question. I just installed a Linksys Wireless Router and voila, I am wirelessly connected. Right out of the box.
    Question: Are our Macs automatically protected from "outsiders" or do we have to do something manually?
    Re: One Intel iMac and one Mac Book Pro. The Router is connected to my one and only PC in the house. This PC is "wired" as it has no wireless card. I want to keep it this way. Just want my Macs wireless.
    Thanks for your help.
    Intel iMac 17" and Mac Book Pro   Mac OS X (10.4.6)  

    Thank you all for all your help. I was able to get to the Setup page of my Router and rename the Router and create a new password. I also disabled Broadcast. And yes, I enabled Firewall.
    I noticed now that the signal in my bedroom for my MacBook Pro is rather weak - sometimes I can't connect at all. Could this be because of my disabling Broadcast? Is there something I can use to boost my signal in the bedroom such as an antenna?
    The signal was fine on Sunday when I first plugged in the Router out of the box without any modifications.
    Again, thank you all for your help.
    Jenise

  • Providing internet through router and still keep IP

    I have a problem with my knowledge about this not being enough
    The situation is this.
    I have two computers connected to the internet via a Linksys WRT59GX v.2. The internet is with a non-static IP, so I have the computers on automatically obtaining IP and the router on DHCP.
    From here I have two problems. One is that without static IPs on the computers, I am having trouble getting the ethernet to work between the two computers while still on the internet.
    The other problem is that I want to get my FTP (from when I had a static IP internet provider) up and running again, and for that I need a static IP, correct?
    Is there some way that I can get the router to connect to the internet (there is no logon procedure), and then share it between the computers, and have them have static IPs? And with that configuration, would it be possible to have an FTP running from behind the router?
    Thanks for reading and I would really appreciate any assistance.

    Let's verify a few things here. You connect your modem to the internet port of the router. That moment your router is the device that connects to the internet. The router must be setup to use DHCP to get an IP address from your ISP.
    Once you have the router connected this way it has nothing to do with your computer anymore or that IP address it has. The router creates a new private network on the LAN side. This private IP address range is 192.168.1.1-255. You do not log into the internet with your computer or ethernet card anymore. You simply set up a local ethernet connection. That's all. In most cases it is enough to simply plug in the cable and that's it. You do not log into your ISP from your computer anymore. If it is setup to dial automatically, you must disable that. The internet connection is always there as the router handles that now.
    Again: the automatic IP address setting of your computer has a different "meaning" once you are connected to your router as it is now about your private LAN and not the internet anymore.
    I suggest you configure static IP addresses as I suggested before. Also check the router's status page to see if it has an internet connection.
    And: you can run an FTP server with a static IP; however you must change the port forwarding in your router each time the computer gets a different IP address.

  • Adding a router to the firewall exceptions?

    This message keeps repeating endlessly in var/log/ipfw.log:
    65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
    Jun 21 09:46:47 ipfw[311]:  65534 Deny P:88 2xx.10.46.1 224.0.0.10 in via en0
    The xx IP in line 2 is my router. How can I stop this error?
    Thanks for your time - it's much appreciated.

    First off, it's not an error. At least not technically.
    The traffic it's reporting is merely standard BOOTP/DHCP traffic. I'm guessing your router is also your network's DHCP server and it's sending out normal broadcast traffic as part of its DHCP-related duties.
    If you want to stop the logging, either set a rule in the firewall with a no-log option, or turn off the firewall altogether - if you're on a private LAN protected by a hardware firewall there is little to gain in running the software firewall on your server.
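An added example, not from the original thread: a small Python triage of ipfw deny-log lines in the format quoted above, so repeated entries can be named before deciding whether they deserve a no-log rule. The sample lines are constructed to mirror the post (the redacted router address is replaced by a documentation-range placeholder); the first is the DHCP client broadcast the reply describes, the second is IP protocol 88 sent to 224.0.0.10, the EIGRP all-routers multicast group, so both are ordinary LAN chatter from a router.

```python
"""Parse and classify ipfw log lines of the shape quoted in the post.
Added example, not from the thread; the regex covers only the two line
shapes shown (with and without the syslog prefix).
"""
import re

# Constructed sample: same format as the post, router address replaced by a
# documentation-range placeholder (192.0.2.1) because the post redacts it.
SAMPLE_LOG = """\
65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Jun 21 09:46:47 ipfw[311]:  65534 Deny P:88 192.0.2.1 224.0.0.10 in via en0
"""

LINE_RE = re.compile(
    r"(?:^.*?ipfw\[\d+\]:\s+)?"                 # optional syslog prefix
    r"(?P<rule>\d+)\s+(?P<action>\w+)\s+"       # rule number and Deny/Accept
    r"(?P<proto>[A-Za-z]+|P:\d+)\s+"            # UDP/TCP/ICMP or P:<number>
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+"   # source, port only for TCP/UDP
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"   # destination likewise
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"   # direction and interface
)

def parse_line(line):
    """Return a dict of the fields in one ipfw log line, or None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("rule", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d

def classify(entry):
    """Name the well-known traffic the post's lines represent, else 'unknown'."""
    proto, dst = entry["proto"].upper(), entry["dst"]
    if (proto == "UDP" and entry["sport"] == 68 and entry["dport"] == 67
            and dst == "255.255.255.255"):
        return "dhcp-client-broadcast"      # DHCPDISCOVER/REQUEST from a client
    if proto == "P:88" and dst == "224.0.0.10":
        return "eigrp-hello"                # IP proto 88 to the EIGRP router group
    return "unknown"

def triage(log_text):
    """Return a list of (classification, parsed_entry) for each parseable line."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            results.append((classify(entry), entry))
    return results
```

Lines that classify as "unknown" are the ones worth a closer look before any no-log rule is written.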
